„Security Inside Out: Latest Innovations in Oracle Database 12c” Marcin Kozak, Architekt...
Transcript of „Security Inside Out: Latest Innovations in Oracle Database 12c” Marcin Kozak, Architekt...
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Release timing for Oracle Database 12c is planned for Calendar Year 2013.
Security Inside Out: Latest Innovations in Oracle Database 12c
Marcin Kozak, Security Architect, Oracle Polska
Billions of Database Records Breached Globally
97% of Breaches Were Avoidable with Basic Controls
98% records stolen from databases
84% records breached using stolen credentials
71% fell within minutes
92% discovered by third party
Anatomy of an Attack
“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”
Uri Rivner, CTO, RSA (Security Division of EMC)
Targets Increasing as Attacks Evolve: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.
Why are Databases so Vulnerable?
80% of IT Security Programs Don’t Address Database Security
Network Security
SIEM
Endpoint Security
Web Application Firewall
Email Security
Authentication & User Security
Database Security ?
“Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.”
Forrester Research
Oracle Database Security Solutions: Defense-in-Depth for Maximum Security
PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Sensitive Data Discovery; Configuration Management; Privilege Analysis
Oracle Advanced Security
Encryption is the Foundation: Preventive Control for Oracle Databases
Transparent data encryption
Prevents access to data at rest
Requires no application changes
Built-in two-tier key management
“Near Zero” overhead with hardware
Integrations with Oracle technologies
– e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc.
Diagram labels: Disk; Backups; Exports; Off-Site Facilities; Applications
Oracle Advanced Security
Redaction of Sensitive Data Displayed: Preventive Control for Oracle Database 12c
Real-time sensitive data redaction based on database session context
Library of redaction policies and point-and-click policy definition
Consistent enforcement, policies applied to data
Transparent to applications, users, and operational activities
Diagram labels: Credit Card Numbers (4451-2172-9841-4368, 5106-8395-2095-5938, 7830-0032-0294-1827); Redaction Policy; xxxx-xxxx-xxxx-4368; 4451-2172-9841-4368; Billing Department; Call Center Application
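A policy of the kind this slide describes, as an added example that is not part of the presentation: a DBMS_REDACT partial-redaction policy that leaves only the last four digits visible. The schema, table, column and account names (PAYMENTS.CARDS, CARD_NUMBER, BILLING_APP) are constructed, and the example assumes the billing account is the one entitled to see full numbers.

```sql
-- Added example; PAYMENTS.CARDS and BILLING_APP are constructed names.
CREATE TABLE payments.cards (
  customer_id  NUMBER PRIMARY KEY,
  card_number  VARCHAR2(19) NOT NULL   -- stored as dddd-dddd-dddd-dddd
);

INSERT INTO payments.cards VALUES (1, '4451-2172-9841-4368');  -- sample value from the slide
COMMIT;

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'PAYMENTS',
    object_name         => 'CARDS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'REDACT_CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    -- redact whenever this evaluates to TRUE, i.e. for every session
    -- except the (assumed) billing account
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING_APP'''
  );
END;
/

-- The application query is unchanged; the policy decides what the session sees.
SELECT customer_id, card_number FROM payments.cards;

-- Review which policies are active and on what condition.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;

-- Review which accounts bypass redaction entirely.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';
```

Redaction changes what is displayed, not who can query the table: accounts holding EXEMPT REDACTION POLICY see the stored values, so the last query belongs in any periodic privilege review.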
Oracle Data Masking
Masking Data for Non-Production Use: Preventive Control for Oracle Databases
Replace sensitive application data
Referential integrity detected/preserved
Extensible template library and formats
Application templates available
Support for masking data in non-Oracle databases
Production
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production (Dev, Test)
LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000
Database Vault
Privileged User Controls: Preventive Control for Oracle Databases
Limit DBA access to application data
Multi-factor SQL command rules
Realms create protective zones
Enforce enterprise data governance, least privilege, segregation of duties
Out of the box application policies
Diagram labels: Procurement; HR; Finance; select * from finance.customers; Application DBA; Applications; Security DBA; DBA
Oracle Label Security
Label Based Access Control: Preventive Control for Oracle Databases
Virtual information partitioning for cloud, SaaS, hosting environments
Classify users and data using labels
Labels based on business drivers
Automatically enforced row level access control, transparent to applications
Labels can be factors in other policies
Diagram labels: Transactions; Report Data; Reports; Confidential; Sensitive; Public
Oracle Audit Vault and Database Firewall
Database Activity Monitoring and Firewall: Detective Control for Oracle and non-Oracle Databases
Monitors network traffic, detects and blocks unauthorized activity
Highly accurate SQL grammar analysis
Can detect/stop SQL injection attacks
Whitelist approach to enforce activity
Blacklists for managing high risk activity
Scalable secure software appliance
Diagram labels: Users; Apps; SQL Analysis; Policy Factors; Whitelist; Blacklist; Allow; Log; Alert; Substitute; Block
Oracle Audit Vault and Database Firewall
Audit, Report, and Alert in Real-Time: Detective Control for Oracle and non-Oracle Databases
Centralized secure repository delivered as secure, scalable software appliance
Powerful alerting - thresholds, group-by
Out-of-the-box and custom reports
Consolidated multi-source reporting
Built-in fine-grained segregation of duties
Diagram labels: OS & Storage; Directories; Databases; Oracle Database Firewall; Custom; Audit Data & Event Logs; Policies; Built-in Reports; Alerts; Custom Reports; Security Analyst; Auditor; SOC
Oracle Audit Vault and Database Firewall: New Solution for Oracle and Non-Oracle Databases
Database Firewall: Users; Applications; Allow; Log; Alert; Substitute; Block; Firewall Events
Audit Vault: Audit Data; OS, Directory, File System & Custom Audit Logs; Policies
Outputs: Built-in Reports; Alerts; Custom Reports
Consumers: Security Analyst; Auditor; SOC
Oracle Database 12c Enterprise
Discover Use of Privileges and Roles: Administrative Control for Oracle Database 12c
Privilege Analysis
Turn on privilege capture mode
Report on actual privileges and roles used in the database
Helps revoke unnecessary privileges
Enforce least privilege and reduce risks
Increase security without disruption
Diagram labels: Create…; Drop…; Modify…; DBA role; APPADMIN role
Oracle Enterprise Manager 12c
Discover Sensitive Data and Databases: Administrative Control for Oracle Database 12c
Scan Oracle for sensitive data
Built-in, extensible data definitions
Discover application data models
Protect sensitive data appropriately: encrypt, redact, mask, audit…
Oracle Database Lifecycle Management
Configuration Management: Administrative Control for Oracle Databases
Discover and classify databases
Scan for best practices, standards
Detect unauthorized changes
Automated remediation
Patching and provisioning
Diagram: Discover (Number of servers, Number of CPUs, Memory, Local Storage (GB)); Scan & Monitor; Patch
Oracle Database Security Solutions: Customers Worldwide Rely on Oracle
SquareTwo Enables Fast Growth with Oracle Database Solutions
SquareTwo enables fast growth and regulatory compliance with Oracle Database security defense-in-depth solutions including Oracle Database Firewall, Oracle Data Masking, and Oracle Advanced Security
National Marrow Donor Program Database Defense-in-Depth
NMDP secures life-saving patient and donor data with Oracle Advanced Security, Oracle Database Vault, and Oracle Data Masking
T-Mobile Protects 35 Million Subscribers Using Oracle
T-Mobile explains how they use Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking to secure sensitive data across the organization in both Oracle and non-Oracle databases
TransUnion Interactive Uses Database Firewall for Compliance
Hear how TransUnion Interactive protects customer data and meets regulatory compliance with database activity monitoring using Oracle Database Firewall
ETS Complies with PCI DSS Using Oracle Advanced Security
Educational Testing Service secures personally identifiable information (PII) and complies with regulatory requirements with Oracle Advanced Security
Oracle Database Security Solutions: Summary
Simple and Flexible
Enterprise Ready
Security and Compliance
Speed and Scale
Oracle Database Security Resources
www.oracle.com/database/security
Data Sheets, Whitepapers, Webcasts, Case Studies, Events, News and more…
Q&A